
Labcorp agrees to $35M data breach settlement


The agreement will settle a data breach arising from an incident at debt collector American Medical Collection Agency (AMCA) in 2018.

 

What happened

Labcorp has agreed to settle a class action lawsuit stemming from a 2018 data breach at Retrieval-Masters Creditor’s Bureau, Inc., also known as American Medical Collection Agency (AMCA). Labcorp had contracted AMCA to collect outstanding payments for Labcorp’s services, but AMCA suffered a data breach that ultimately affected Labcorp patients.

Although multiple class action lawsuits were filed, they were ultimately consolidated into one suit, In Re: American Medical Collection Agency, Inc. Customer Data Security Breach Litigation, as is common in data breach suits.

The claims asserted in the lawsuit are typical of class action suits; plaintiffs claimed negligence and breach of contract, among other allegations. Labcorp denied any wrongdoing but ultimately still agreed to a settlement of $35 million. A final fairness hearing has been scheduled for September 3rd, 2026.

 

The backstory

Labcorp was initially notified about the incident on May 14th, 2019, when the diagnostic testing provider learned that its data had been subject to unauthorized access. AMCA’s systems were breached between August 2018 and March 2019, a period of more than six months during which numerous files containing protected health information (PHI) were viewed or obtained. Other AMCA clients were involved, but the majority of impacted individuals came from Labcorp. In total, of the over 25 million victims, approximately 10,251,784 were from Labcorp.

 

In the know

Unique to this case, the lawsuit involved several rounds of litigation, lasting about six years, before the parties agreed to settle the Labcorp component of the litigation. The incident led AMCA to go bankrupt, putting the litigation pressure entirely on the organizations AMCA had partnered with, like Labcorp.

 

Why it matters

Even though Labcorp was only tangentially related to the breach, it still faced direct consequences for AMCA’s poor cybersecurity practices. Whenever a healthcare organization outsources certain tasks to another company, it’s critical that it pay close attention to how that company will handle protected health information. Furthermore, agreeing to a certain standard of data security at the time of the agreement doesn’t ensure those standards will be adhered to throughout the contract; healthcare practices should frequently audit, monitor, and check in with the companies, especially as threat tactics evolve.

The big picture

The Labcorp settlement is one of the largest of the year, but many other data breach lawsuits and settlements have shown that data breaches are being taken seriously by the courts. Lawsuits like these serve three main purposes: to help individuals recoup damages, to punish organizations for failing to protect sensitive data, and finally, to serve as a warning to other healthcare companies that data security needs to be a top priority.

According to a Paubox report, the cost of a data breach rose to approximately $11 million in 2025. Year over year, we’ve seen costs steadily increase, and that trajectory appears unlikely to change, especially as AI revolutionizes and democratizes hacking. IBM has noted that certain business models, like Ransomware-as-a-Service (RaaS), have made it easier than ever for people who are not tech-savvy to engage in cybercrime.

Large data breaches can be so severe that they destroy organizations, like in the case of AMCA going bankrupt. Even so, someone always has to be held responsible for the damages faced by victims.

 

FAQs

Is the AMCA suit fully resolved?

No, legal battles are still ongoing against other organizations involved, like Quest Diagnostics. Some legal battles, like the multi-state lawsuit brought by a coalition of 41 attorneys general, have come to an end.

 

What happens to lawsuits if the defendant goes bankrupt?

When the defendant goes bankrupt, it can make a lawsuit significantly more complex, but it doesn’t mean the suit is thrown out. In some cases, bankrupt organizations will reform under a different name and still be held responsible. In other cases, like this one, other organizations that could have prevented the breach, like Labcorp if it had more carefully monitored AMCA, can be held responsible.
